NIST Posts Updated Guidance for Cybersecurity Engineers, Programmers
The National Institute of Standards and Technology has published updated guidance on the engineering and programming aspects of cybersecurity.
In a document titled “Engineering Trustworthy Secure Systems,” NIST outlined engineering-driven ways to develop more defensible and survivable systems.
Engineering-based solutions are critical for managing today’s complex systems such as cyber-physical systems and systems-of-systems, NIST said.
NIST said the publication is an attempt to incorporate security engineering methods, practices and techniques into software engineering standards established by groups like the International Organization for Standardization, the International Electrotechnical Commission and the Institute of Electrical and Electronics Engineers.
The objective is to help systems engineers implement processes designed to ensure that security requirements are addressed with enough rigor throughout the system’s life cycle.
NIST said that systems engineers cannot take a stovepiped approach to protecting complex systems, for example by isolating the fields of cyberspace, software and information technology from each other.
Rather, security professionals must take a “holistic approach to protection, broad-based thinking across all assets where loss could occur, and an understanding of adversity, including how adversaries attack and compromise systems,” in order to build trustworthy, secure systems.
NIST said the update is a response to the frequency and severity of cyberattacks on federal, state and local governments as well as private-sector organizations.
In 2021, the United States faced multiple high-profile cybersecurity incidents such as the Russia-linked SolarWinds hack, which reportedly compromised the networks of at least nine federal government agencies and hundreds of American companies.